In one example in accordance with the present disclosure, a method for threat score determination includes detecting a change in malicious activity for a security object. The method also includes identifying an indicator that provides contextual information for the security object and determining a linked resource that is associated with a database record of the security object. The method also includes determining a first threat score associated with the security object and determining a relationship between the linked resource and the security object. The method also includes determining a second threat score associated with the linked resource based on the indicator, the threat score of the linked object and the relationship between the linked resource and the security object.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method comprising: detecting, by a computer, a change in malicious activity for a security object; identifying, by the computer, an indicator that provides contextual information for the security object; determining, by the computer, a first linked resource that is associated with a first database record of the security object; determining, by the computer, a threat score associated with the security object; determining, by the computer, a relationship between the first linked resource and the security object; determining, by the computer, a second linked resource that is associated with the first linked resource by a second database record; determining, by the computer, a number of levels between the first linked resource and the second linked resource; comparing, by the computer, the number to a threshold; determining, by the computer, an influence of the second linked resource on the first linked resource based on the comparison; and determining, by the computer, a threat score for the security object based on the indicator, a threat score for the first linked resource, the relationship between the first linked resource and the security object, and the influence.
2. The method of claim 1, wherein the first linked resource and the second linked resource are part of a plurality of linked resources, the method further comprising: identifying the plurality of linked resources; and determining a threat score for each linked resource of the plurality of linked resources based on the indicator, the threat score of the indicator and a relationship between the each linked resource and the security object.
3. The method of claim 1, further comprising: retrieving information for the security object from an external data source; and adjusting the threat score for the security object based on the information for the security object from the external data source.
4. The method of claim 1, further comprising: determining a plurality of malicious linked resources that are associated with the first database record; and adjusting a threat score for the first database record based on a number of the plurality of malicious linked resources.
5. The method of claim 1, further comprising: retrieving historical security information for the security object; determining a time period for the historical security information; and adjusting the threat score based on the historical security information and the time period.
6. The method of claim 1, further comprising: determining a date when the first linked resource was determined; and determining a threat score associated with the first linked resource based on the date.
7. The method of claim 1, wherein the threat score is determined via a graph database, wherein the security object, the indicator, the first linked resource, and the second linked resource are represented by nodes of a graph, and wherein links between the security object, the indicator, the first linked resource and the second linked resource are represented by labeled edges of the graph.
8. A system comprising: a processor; and a memory to store instructions that, when executed by the processor, cause the processor to: determine a change in malicious activity for a security object; identify a time period of the change; determine a first threat score associated with the security object; determine a plurality of linked resources in a security database associated with a database record of the security object; determine, for each linked resource of the plurality of linked resources, an associated threat score based on the time period, the first threat score, and a relationship between the each linked resource and the security object; determine a number of levels between a first linked resource of the plurality of linked resources and a second linked resource of the plurality of linked resources; compare the number to a threshold; and determine an influence of the second linked resource on the associated threat score for each linked resource based on the comparison.
9. The system of claim 8, wherein the instructions, when executed by the processor, further cause the processor to: cause the influence to be lower in response to the number being above the threshold.
10. The system of claim 8, wherein the instructions, when executed by the processor, further cause the processor to: determine a date when each linked resource of the plurality of linked resources was determined; and adjust the threat score associated with the each linked resource based on the date when the each linked resource was determined.
11. A non-transitory machine-readable storage medium storing instructions that, when executed by a processor of a computing device, cause the processor to: determine a change in malicious activity for a security object; identify an indicator that provides contextual information for the security object; determine a plurality of linked resources that are associated with a database record of the security object; determine, for each linked resource of the plurality of linked resources, a relationship between the security object and the each linked resource; determine a linked resource threat score for the each linked resource of the plurality of linked resources; determine a number of linked resources of the plurality of linked resources that are classified as malicious; determine a number of levels between a first linked resource of the plurality of linked resources and a second linked resource of the plurality of linked resources; compare the number of levels to a threshold; determine an influence of the second linked resource on the first linked resource based on the comparison; and determine a threat score associated with the security object based on the indicator, the relationship between the security object and the each linked resource of the plurality of linked resources, the number of linked resources of the plurality of linked resources that are classified as malicious, and the influence.
12. The non-transitory machine-readable storage medium of claim 11, wherein the instructions, when executed by the processor, further cause the processor to: determine a confidence score for the database record based on the number of linked resources of the plurality of linked resources that are classified as malicious.
13. The non-transitory machine-readable storage medium of claim 11, wherein the instructions, when executed by the processor, further cause the processor to: determine a threat score for each linked resource of the plurality of linked resources based on the indicator, the threat score of the security object and a relationship between the indicator and the each linked resource.
14. The method of claim 1, wherein the indicator represents information to observe to determine whether the security object is associated with a security threat or a security vulnerability.
15. The method of claim 1, further comprising: identifying a time period corresponding to the change in a malicious activity; and determining threat scores for the first linked resource and the second linked resource based on the time period.
16. The method of claim 1, wherein determining the influence comprises causing the influence to be lower in response to the number being above the threshold.
17. The non-transitory machine-readable storage medium of claim 11, wherein the instructions, when executed by the processor, further cause the processor to cause the influence to be lower in response to the number of levels being above the threshold.
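The scoring logic of claim 1, with the level threshold of claims 9, 16 and 17 and the labeled-edge graph of claim 7, as an added illustration that is not the patent's own implementation. The graph, base scores, relationship weights, the scalar indicator weight, the 0-100 clamp and the specific decay function are all assumptions; the claims only require that influence be lower once the number of levels exceeds the threshold.

```python
from collections import deque

# Constructed sample graph: directed adjacency list of (neighbour, relationship label).
# Names use RFC 5737 / .example placeholders; scores and weights are assumed, not from the patent.
GRAPH = {
    "domain:evil.example": [("ip:203.0.113.10", "resolves_to")],
    "ip:203.0.113.10": [("domain:other.example", "hosts"),
                        ("ip:203.0.113.11", "communicates_with")],
    "ip:203.0.113.11": [("domain:third.example", "hosts")],
}
BASE_SCORE = {"domain:evil.example": 40.0, "ip:203.0.113.10": 30.0,
              "domain:other.example": 20.0, "ip:203.0.113.11": 50.0,
              "domain:third.example": 10.0}
# Weight that each labeled edge (the "relationship") contributes; assumed values.
RELATIONSHIP_WEIGHT = {"resolves_to": 1.0, "hosts": 0.8, "communicates_with": 0.5}

def levels_between(graph, src, dst):
    """Number of hops from src to dst along labeled edges (BFS); None if unreachable."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, depth = queue.popleft()
        if node == dst:
            return depth
        for nxt, _label in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return None

def influence(levels, threshold):
    """Full influence up to the threshold, then decaying as the number of levels grows."""
    if levels is None:
        return 0.0
    return 1.0 if levels <= threshold else 1.0 / (levels - threshold + 1)

def threat_score(graph, base, security_object, indicator_weight=1.0, threshold=1):
    """Score a security object from its indicator weight, its first linked resources,
    their relationships, and level-attenuated second linked resources (claim 1)."""
    score = base.get(security_object, 0.0) * indicator_weight
    for first, label in graph.get(security_object, ()):
        contribution = base.get(first, 0.0) * RELATIONSHIP_WEIGHT[label]
        for second, label2 in graph.get(first, ()):
            lv = levels_between(graph, security_object, second)
            contribution += (base.get(second, 0.0) * RELATIONSHIP_WEIGHT[label2]
                             * influence(lv, threshold))
        score += contribution
    return round(min(score, 100.0), 2)   # clamp to a 0-100 scale (assumed)
```

With the constructed graph, `threat_score(GRAPH, BASE_SCORE, "domain:evil.example")` gives 90.5 at threshold 1 and 100.0 at threshold 2, showing how the threshold decides how far second-level resources reach back into the score.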
September 28, 2015
January 19, 2021